Cafe OS is the operating system running on the PowerPC in Wii U mode. It consists of the Cafe OS kernel, the executable loader, and system libraries. Unlike on the Wii, where each game provided its own copy of Revolution OS with no isolation between libraries, Wii U applications run under the supervision of a common PowerPC kernel, isolating them from each other. All applications are modified ELFs, as are the libraries themselves, and applications dynamically link with them to gain access to OS services. Cafe OS also contains a few system processes, like the home menu and error handler.

Kernel

The kernel runs in supervisor mode on the PowerPC, and performs the basic tasks of a microkernel. It is responsible for process isolation, memory management, and interrupt dispatching, as well as communication with IOSU. Cafe OS applications run as user mode processes, with separate address spaces and W^X memory protection.

Syscalls

Cafe OS syscalls are issued by doing the following:

li r0, 0x0100 # load syscall value->r0
sc            # syscall instruction
blr           # return control to program

When you send a call to the kernel, it goes to 0xFFF00C00, which then jumps to 0xFFF021A0 + (fastcall << 5).

Normal syscalls are divisible by 0x100, so all of them will jump to 0xFFF0021A0 itself, which is a jump to the table dispatcher.

The dispatcher uses a RAMPID and the syscall dispatch tables at 0xFFEAAA40 (user table in 5.5.1) and 0xFFE84850 (loader table in 5.5.1) to get the secondary table each RAMPID is able to access.

RAMPIDs 0 (Kernel), 2, and 3 all use an empty table, while RAMPID 1 (root.rpx) has its own table with a few unique calls. RAMPIDs 4 (background app), 5 (home menu), and 6 (error display) share the same table and RAMPID 7 (foreground app) has it's own.

Below is a list of what all of them, as well as the loader which has its own bare-bones table, have access to call. (sp) indicates that the loader uses a separate function for that syscall. Additionally, the loader uses the same function for IPCKDriver_Open/Close.

#	Name	root	Sys	App	Ldr
0x0	ConsoleWrite	X	X	X	X (sp)
0x100	AppPanic	X	X	X	X
0x200	EffectiveToPhysical	X	X	X
0x300	PhysicalToEffectiveCached	X	X	X
0x400	PhysicalToEffectiveUncached	X	X	X
0x500	ValidateAddressSpaceRange	X	X	X	X
0x600	UpdateCoretime	X	X	X
0x700	-	-	-	-	-
0x800	SetUserModeExHandler	X	X	X
0x900	-	-	-	-	-
0xA00	-	-	-	-	-
0xB00	AllocateTimer	X	X	X
0xC00	FreeTimer	X	X	X
0xD00	PrimeTimer	X	X	X
0xE00	StopTimer	X	X	X
0xF00	DynLoad_DumpModuleList	X	X	X
0x1000	SetInterruptHandler	X	X	X
0x1100	GetInterruptHandler	X	X	X
0x1200	DisableInterrupt	X	X	X
0x1300	EnableInterrupt	X	X	X
0x1400	ClearAndEnableInterrupt	X	X	X
0x1500	GetInterruptStatus	X	X	X
0x1600	ClearInterruptStatus	X	X	X
0x1700	FindClosestSymbol	X	X	X	X (sp)
0x1800	Test_Assist
0x1900	Exit	X	X	X
0x1A00	GetInfo	X	X	X
0x1B00	SetInfo	X	X	X
0x1C00	ReleaseCore	X	X	X
0x1D00	SendICI	X	X	X
0x1E00	IPCKDriver_{Loader|User}Open	X	X	X	X (sp)
0x1F00	IPCKDriver_{Loader|User}Close	X	X	X	X (sp)
0x2000	IPCKDriver_SubmitRequest	X	X	X	X (sp)
0x2100	-	-	-	-	-
0x2200	GetEnvironmentVariable	X	X	X
0x2300	-	-	-	-	-
0x2400	-	-	-	-	-
0x2500	-	-	-	-	-
0x2600	-	-	-	-	-
0x2700	Proc_GetNotifyTarget	X	X	X
0x2800	Proc_ReleaseForeground	X	X	X
0x2900	Proc_GetForegroundBucket	X	X	X
0x2A00	Proc_RequestSwitch	X	X	X
0x2B00	LaunchTitleArgvStr	X	X	X
0x2C00	Proc_YieldCore	X	X	X
0x2D00	-	-	-	-	-
0x2E00	Proc_GetSystemMessage	X	X	X
0x2F00	Proc_GetCallArgs	X	X	X
0x3000	GetAbsoluteSystemTimeInternal	X	X	X
0x3100	SetAbsoluteSystemTimeInternal	X	X	X
0x3200	Drivers_GetInstance	X	X	X
0x3300	Drivers_PurgeMaster	X	X	X
0x3400	-	-	-	-	-
0x3500	-	-	-	-	-
0x3600	-	-	-	-	-
0x3700	-	-	-	-	-
0x3800	AllocVirtAddr	X	X	X
0x3900	FreeVirtAddr	X	X	X
0x3A00	GetMapVirtAddrRange	X	X	X
0x3B00	GetDataPhysAddrRange	X	X	X
0x3C00	GetAvailPhysAddrRange	X	X	X
0x3D00	MapMemory	X	X	X
0x3E00	UnmapMemory	X	X	X
0x3F00	LogBuffer	X	X	X	X
0x4000	LogArgs	X	X	X	X
0x4100	LogFunc	X	X	X	X
0x4200	LogReportKernel	X	X	X	X
0x4300	LogRetrieve	X	X	X	X
0x4400		X	X	X
0x4500		X	X	X
0x4600		X	X	X
0x4700	Drivers_CopyFromSaveArea	X	X	X
0x4800	Drivers_CopyToSaveArea	X	X	X
0x4900	Proc_ReadyToRelease	X	X	X
0x4A00	SetAlarm	X	X	X
0x4B00	SetDABR	X	X	X
0x4C00	SetIABR	X	X	X
0x4D00	Proc_GetProcessInfo	X	X	X
0x4E00	GetCodegenVirtAddrRange	X	X	X
0x4F00	DynLoad_RPLLoaderEntry	X	X	X
0x5000	RPLLoaderResumeContext				X
0x5100	-	-	-	-	-
0x5200	WaitIopComplete				X
0x5300	FlushCode				X
0x5400	FlushData				X
0x5500	UpdateHeartbeat				X
0x5600	LogEntry				X
0x5700	FastClearMemory				X
0x5800	GetBusClockSpeed				X
0x5900	Shared_GetArea	X	X	X
0x5A00	Proc_SendPolicy	X	X	X
0x5B00	GetProcessIndex				X
0x5C00	IPCKDriver_PollLoaderCompletion				X
0x5D00	BlockLogSaveHiLo	X	X	X
0x5E00	FinishInitAndPreload				X
0x5F00	ContinueStartProcess				X
0x6000	OpenMCP				X
0x6100	Proc_QuerySwitchReady	X	X	X
0x6200	Launch	X	X	X
0x6300	Call	X	X	X
0x6400	SetTimeInternal		X
0x6500		X	X	X
0x6600	ProfileEntry				X
0x6700	Proc_RequestExit	X	X	X
0x6800	Proc_CoreInitDone	X	X	X
0x6900	Proc_GetSwitchTarget	X	X	X
0x6A00	Proc_AcquireDone	X	X	X
0x6B00	Proc_GetBuiltSDKVersion	X	X	X
0x6C00	Proc_SystemFatal	X	X	X
0x6D00	-	-	-	-	-
0x6E00	SwitchSecCodeGenMode	X	X	X
0x6F00	IopShell_RegisterCallback	X	X	X
0x7000	Proc_GetTitleVersion	X	X	X
0x7100	Proc_IsTestKernel	X	X	X
0x7200	ForceFullRelaunch	X	X	X
0x7300	Proc_Recycle	X
0x7400	GetFlags	X	X	X	X
0x7500	QueryVirtAddr	X	X	X
0x7600	GetCodegenInfo	X	X	X
0x7700	GetSecCodeGenMode	X	X	X
0x7800	CodegenCopy	X	X	X
0x7900	Proc_LoadShared	X
0x7A00	SetExceptionCallback	X	X	X
0x7B00	IopShell_InjectCommand	X	X	X
0x7C00	Proc_Kill	X	X	X
0x7D00	EnableOverlayArena	X	X	X
0x7E00	DisableOverlayArena	X	X	X
0x7F00	GetSystemMode	X	X	X
0x8000	SystemMode_RegisterCallback	X	X	X
0x8100	ZeroProcessMemory	X
0x8200	HandlePowerEvents				X
0x8300	ConsoleTimestamp	X	X	X	X
0x8400	ValidateOverlayRange				X
0x8500-0xFF00	BadSysCall (jump to null on purpose)	X	X	X	X

Fastcalls

Fastcalls, on the other hand, are system calls that aren't routed through the dispatcher and can be accessed by any RAMPID. Attempting to access an unimplemented fastcall will redirect the code flow to syscall 0x0100 (AppPanic).

Below is a list of all the currently supported fastcalls.

#	Name
0x0	- (default branch to syscall dispatcher)
0x1	SyncEieio
0x2	EnableInterrupts (deprecated, jumps to error)
0x3	DisableInterrupts (deprecated, jumps to error)
0x4	IsInterruptEnabled (deprecated, jumps to error)
0x5	RestoreInterrupts (deprecated, jumps to error)
0x6	LoadContext
0x7	GetMSR
0x8	SetCurrentContext
0x9	GetCurrentFPUContext
0xA	SetCurrentFPUContext
0xB	CompareAndSwapCurrentFPUContext
0xC	WriteGatherInit
0xD	SetPerformanceMonitor
0xE
0xF	(return)
0x10	FlushFPUContext
0x11	ReadRegister32Ex
0x12	WriteRegister32Ex
0x13
0x14
0x15
0x16
0x17	WriteGatherGetPtr
0x18	EnableFPU
0x19	GetSecurityLevel
0x1A-0x1F	BadFastCall (jump to error on purpose)

OSPlatformInfo

This is a structure mapped to address 0x1FFF000 in MEM1 for communicating with the MCP process.

Offset	Size	Description
0x0	0x4	Magic (0x5726)
0x4	0x4	Size (0x40C)
0x8	0x4	Flags
0xC	0x4	ConsoleType
0x10	0x4	Iop2x
0x14	0x4	Bperf
0x18	0x4	PpcSystemClockFrequency
0x1C	0x4	PpcCore0L2Size
0x20	0x4	PpcCore0L2LineSize
0x24	0x4	PpcCore0L2SectorSize
0x28	0x4	PpcCore0L2FetchSize
0x2C	0x4	PpcCore0L2SetAssociativity
0x30	0x4	PpcCore1L2Size
0x34	0x4	PpcCore1L2LineSize
0x38	0x4	PpcCore1L2SectorSize
0x3C	0x4	PpcCore1L2FetchSize
0x40	0x4	PpcCore1L2SetAssociativity
0x44	0x4	PpcCore2L2Size
0x48	0x4	PpcCore2L2LineSize
0x4C	0x4	PpcCore2L2SectorSize
0x50	0x4	PpcCore2L2FetchSize
0x54	0x4	PpcCore2L2SetAssociativity
0x58	0x64	Reserved
0xBC	0x4	PpcCorePropertiesCount
0xC0	0x4	PpcCorePropertiesFlags
0xC4	0x4	PpcMem0Id
0xC8	0x4	PpcMem0BaseAddress
0xCC	0x4	PpcMem0Size
0xD0	0x4	PpcMem1Id
0xD4	0x4	PpcMem1BaseAddress
0xD8	0x4	PpcMem1Size
0xDC	0x4	PpcMem2Id
0xE0	0x4	PpcMem2BaseAddress
0xE4	0x4	PpcMem2Size
0xE8	0x3C	Reserved
0x124	0x4	PpcMemRegionCount
0x128	0x4	PpcMemRegionFlags
0x12C	0x244	Reserved
0x370	0x4	HardwareVersion
0x374	0x8C	Reserved
0x400	0x4	LastPMState
0x404	0x4	CurrentPMState
0x408	0x4	BootPMFlags

Flags

Bits	Description
0-25
26	IsEnterBgNormalMode
27	IsDevMode
28	IsFastRelaunch
29	IsColdBoot
30	IsSynchronousPrintingEnabled
31

Processes

A process in Cafe OS represents a single running application, with its own code, memory, and permissions. Cafe OS only executes the code of a single process at a time, but it can hold the data of multiple processes in memory simultaneously, and switch between them. Rather than allowing arbitrary process creation, there is RAM reserved for a single foreground app, a single background app, and various other special processes. Each running process is assigned a unique identifier called a RAMPID:

RAMPID	Description	IOS Name
0	Cafe OS	COS-KERNEL
1	root.rpx	COS-ROOT
2	???	COS-02
3	???	COS-03
4	Background app	COS-OVERLAY
5	Home Menu	COS-HBM
6	Error display	COS-ERROR
7	Foreground app	COS-MASTER

In addition to RAMPID, Cafe OS processes have another type of process ID called a fixed process ID (PFID). Rather than representing which part of memory a process occupies, PFID actually specifies which specific app/task is running (browser, game, eShop, etc.). Cafe OS maps PFIDs to the RAMPID that they occupy when running (for example, a game is RAMPID 7 due to running in the foreground):

PFID	Description	RAMPID
0	Cafe OS kernel	0
1	root.rpx	1
2	Wii U Menu	7
3	TVii	???
4	E-Manual	???
5	Home Menu	5
6	Error Display	6
7	"MiniMiiverse"	???
8	Internet Browser	4
9	Miiverse	???
10	eShop	???
11	COS-FLV	???
12	Download Manager	???
13	COS-RSVD-13	???
14	COS-RSVD-14	???
15	Game	7

Loader

Main article: Loader

The loader is responsible for loading RPL formatted libraries and executables into memory. It is a standard ELF executable named loader.elf. It includes a statically linked copy of zlib, probably for decompressing sections of RPL files.

Libraries

Cafe OS applications dynamically link with system libraries to get access to OS services. These OS services include memory management, graphics, audio, and controller input. All libraries are RPL files, a modification of the standard ELF format with compressed sections and more Windows-like dynamic linking. The main system libraries are listed below, with some having their own pages of documentation:

• avm.rpl - Audio/Video Manager
• camera.rpl - Gamepad camera
• coreinit.rpl - Kernel, memory, and FS
• dc.rpl - Display Controller
• dmae.rpl - DMA (Direct Memory Access)
• drmapp.rpl - Digital Rights Management
• erreula.rpl - Error Viewer
• gx2.rpl - Graphics
• h264.rpl - Support for H.264
• lzma920.rpl - LZMA compression
• mic.rpl - Gamepad microphone
• nfc.rpl - Low-level NFC library
• nio_prof.rpl - IO Profiler
• nlibcurl.rpl - libcurl 7.21.7, functions match official library, has extra options for curl_easy_setopt
• nlibnss.rpl - libnss
• nlibnss2.rpl
• nn_ac.rpl - Nintendo Network Auto Connection
• nn_acp.rpl - Nintendo Network Account/Access Protection
• nn_act.rpl - Nintendo Network Accounts
• nn_aoc.rpl - Nintendo Network Add-On Content
• nn_boss.rpl - Nintendo Network BOSS (SpotPass)
• nn_ccr.rpl
• nn_cmpt.rpl - Handles transition into vWii
• nn_dlp.rpl - 3DS Download Play hosting library
• nn_ec.rpl - Nintendo Network E-Commerce
• nn_fp.rpl - Nintendo Network Friend Presence
• nn_hai.rpl - Helper library for interfacing nn_cmpt.rpl with Wii VC titles.
• nn_hpad.rpl - Something related to controllers. Probably for the Gamecube controller adapter?
• nn_idbe.rpl - Downloads and decrypts game icons from an online icon database
• nn_ndm.rpl - Daemons???
• nn_nets2.rpl - More network functions
• nn_nfp.rpl - Nintendo Network Nintendo Figurine Platform (Amiibo)
• nn_nim.rpl
• nn_olv.rpl - Olive/OLV - Miiverse
• nn_pdm.rpl - System Play related data (play times etc.)
• nn_save.rpl - Savefile access
• nn_sl.rpl
• nn_spm.rpl - Storage related functions (USB?)
• nn_temp.rpl - TEMP library (for temporary files)
• nn_uds.rpl - Library for hosting 3DS Local-WLAN networks
• nn_vctl.rpl
• nsysccr.rpl - DRH communication (input and RPC)
• nsyshid.rpl - Human Interface Device library
• nsyskbd.rpl - USB keyboard library
• nsysnet.rpl - BSD sockets, network configuration, and SSL
• nsysuhs.rpl - Low-level USB access
• nsysuvd.rpl
• ntag.rpl - NTAG high level NFC library
• padscore.rpl - Wii Remote and Balance Board
• proc_ui.rpl
• snd_core.rpl - Sound-1 Core
• snd_user.rpl - Sound-1 User
• sndcore2.rpl - Sound-2 Core
• snduser2.rpl - Sound-2 User
• swkbd.rpl - Onscreen keyboard
• sysapp.rpl
• tcl.rpl - Texture Core library
• tve.rpl - TV Engine
• uac.rpl - DRH communication (Gamepad microphone)
• uac_rpl.rpl
• usb_mic.rpl
• uvc.rpl - DRH communication (Gamepad camera)
• uvd.rpl - AMD's OpenVideo Decode library, with some different function names
• vpad.rpl - Gamepad input
• vpadbase.rpl - Gamepad base library
• zlib125.rpl - ZLIB 1.2.5, functions match official library

Virtual Memory Map

Virtual address start	Virtual address size	Physical address start	Flags	Description
0x1000000	0x800000	0x32000000	0x2CE08002	Loader and system libraries
0x1800000	0x20000	0	0x28101200	This is the codegen/JIT memory area, only available under processes which have it enabled under cos.xml (the size comes from cos.xml too)
0x2000000 (variable)	0xE000000 (variable)	0x72000000 or 0xB2000000 (variable)	0x2CF09400	App executable and libraries (start varies, but end is always 0x10000000)
0x10000000	0x52000000 or 0x92000000 (variable)	0x20000000 (variable)	0x28305800	Application/library data area (may be smaller)
0xA0000000	0x40000000	0	0x2000	Overlay of application memory (used by loader?)
0xE0000000	0x4000000	0x14000000	0x28204004	Some sort of hardware communication area
0xE8000000	0x2000000	0xD0000000	0x78200004
0xEFE00000	0x80000	0x1B900000	0x28109010	Loader data area (only mapped when running loader)
0xF4000000	0x2000000	0	0x28204004	MEM1
0xF6000000	0x800000	0x1B000000	0x3CA08002	Loader chunk buffer
0xF8000000	0x3000000	0x18000000	0x2CA08002	Read-only shared data (system fonts mostly)
0xFB000000	0x800000	0x1C800000	0x28200002
0xFC000000	0xC0000	0xC000000	0x70100022	Processor Interface
0xFC0C0000	0x120000	0xC0C0000	0x70100022
0xFC1E0000	0x20000	0xC1E0000	0x78100024	VI
0xFC200000	0x80000	0xC200000	0x78100024	GFXSP
0xFC280000	0x20000	0xC280000	0x78100024	DSP
0xFC2A0000	0x20000	0xC2A0000	0x78100023	GX2 FIFO space? (Radeon PKT3 sent here)
0xFC300000	0x20000	0xC300000	0x78100024
0xFC320000	0xE0000	0xC320000	0x70100022	Espresso eFuses
0xFD000000	0x400000	0xD000000	0x70100022	Latte Registers
0xFE000000	0x800000	0x1C000000	0x20200002
0xFF200000	0x80000	0x1B800000	0x20100040	Kernel heap
0xFF280000	0x80000	0x1B880000	0x20100040
0xFFC00000	0x20000	0xFFC00000	0x8100004	Codegen area used with OSCodegenCopy
0xFFC40000	0x20000	0xFFC40000	0x8100004	Codegen area used with OSCodegenCopy
0xFFC80000	0x20000	0xFFC80000	0x810000C	Codegen area used with OSCodegenCopy
0xFFCE0000	0x20000	0	0x50100004
0xFFE00000	0x20000	0xFFE00000	0x20100040	Kernel ancast image
0xFFE40000	0x20000	0xFFE40000	0x20100040
0xFFE80000	0x60000	0xFFE80000	0x20100040
0xFFEE0000	0x20000	0xFFEE0000	0x20100040
0xFFF00000	0x20000	0xFFF00000	0x20100040
0xFFF60000	0x20000	0xFFE20000	0x20100080
0xFFF80000	0x20000	0xFFE60000	0x2C100040
0xFFFA0000	0x20000	0xFFE60000	0x20100080
0xFFFC0000	0x20000	0x1BFE0000	0x24100002
0xFFFE0000	0x20000	0x1BF80000	0x28100102	Per-thread data (e.g. pointer to thread descriptor and thread queue) at 0xFFFFFFE0 - 0xFFFFFFFC.